Race is On To Notify Owners After Public List of IoT Device Credentials Published

Researchers are in a full-out sprint to notify the owners of a substantial list of connected devices and associated telnet credentials that has been available on Pastebin since June but gone viral since Thursday when it was posted on Twitter.

The list has more than 20,000 views as of Saturday morning, up substantially from fewer than 1,000 on Thursday.

The credentials, many of which are default and known (i.e., admin:admin, root:root, or no authentication required) afford anyone access to a multitude of routers and other devices. Similar devices been co-opted in the last nine months to carry out DDoS attacks against a number of high-value targets.

Victor Gevers, founder of the GDI Foundation, has analyzed the list and told Threatpost Friday afternoon that of the 33,000-plus IP addresses on the list, 1,775 were still reachable.

“The other ones were ‘filtered’ so the telnet service was not reachable anymore,” Gevers said, adding that he sent emails to the 1,775 reachable hosts warning them to change their credentials and/or close off telnet access. Most of the reachable IPs (61 percent), he said, were in China, and most of the remaining in the rest of Asia.

Many of the 33,000 IP addresses on the list are duplicates, some 10 times over, indicating either there are multiple accounts on the same IP, or they’ve already been abused over and over.

“They are starting to behave [badly] and end up on an IP-block list,” Gever said.

Some of the default credentials have been changed already, and Gevers said there are more than 8,200 unique hosts, and 2,174 still running open telnet services as of Friday.

The Pastebin was found by researcher Ankit Anubhav who made the data public for other researchers. The account has been viewed more than 36,000 times. The Pastebin also contains numerous other scripts, some with malicious-sounding names such as “Easy To Root Kit,” “Mirai Bots,” “Mirai-CrossCompiler,” “Apache Struts 2 RCE Auto-Exploiter v2),” “Slowloris DDoS Attack Script,” and many others referring to known and recent attacks or disclosures.

“This person who pasted the Pastbin has a collection of scripts that could have been used [maliciously],” Gevers said.

Gever said that as of Friday afternoon, he had 12 replies to his email notifications and a few direct messages on Twitter.

Any time a situation like this surfaces, people harken back to the Mirai attacks of October 2016. Mirai is the name of the malware that automates the infection of connected internet of things devices and corrals them into botnets.

Infamously, a Mirai botnet was used to take down DNS provider Dyn, taking with it a handful of popular internet services. It was also used to DDoS French webhost OVH and security news site Krebs on Security.

That botnet was composed mostly of IP-enabled cameras and DVRs, the first time connected devices had been abused in such a public fashion, at the same time heralding a new age of awareness around the insecurity of these devices. Experts cautioned that this problem extends beyond security cameras and DVRs, and that IoT vulnerabilities can be leveraged against connected health care devices and critical infrastructure.

Expert Bruce Schneier, for one, testified before a Congressional committee that market forces would not be enough to solve this issue, and that legislation might be inevitable.